Who makes this?

Hi! I'm Julia! I look kind of like this:

I found out last year that understanding your operating system's internals a little more makes you a WAY BETTER PROGRAMMER and it was SO FUN and I wanted to tell EVERYONE. So I'm telling you!

blog: jvns.ca
twitter: @b0rk


Resources + FAQ 


I've written like 7 posts about strace because I have an unhealthy obsession. They're at jvns.ca/categories/strace.

(In)Frequently asked questions:

Q: Is there strace on OS X?
A: No, but try dtruss/dtrace!

Q: Can I strace strace?
A: Yup! If you do, you'll find out that strace uses the ptrace system call to do its magic.

Q: Should I strace my production database?
A: NONONONO. It will slow down your database a LOT.

Q: Is there a way to trace system calls that won't slow down my programs?
A: Sometimes you can use 'perf trace' on newer Linux versions.
what is this strace thing???

strace is a program on Linux that lets you inspect what a program is doing without

- a debugger
- or the source code
- or even knowing the programming language at all (?!?!?! how can it be!)

Basically strace makes you a WIZARD

To understand how this works, let's





Sometimes I'm looking at the output of a recvfrom and it's like

recvfrom(6, "And then the monster"...)

and OH NO THE SUSPENSE

strace -s 800 will show you the first 800 characters of each string. I use it all the time!

Let's get real. No matter what, strace prints too much damn output. Use

strace -o too_much_stuff.txt

and sort through it later. -o is for output!

Have no idea which file the file descriptor "3" refers to? -y is a flag in newer versions of strace and it'll show you filenames instead of just numbers!


Putting it all together: 


Want to spy on a ssh session?

See what files a Dropbox sync process is opening? (with PID 230)

strace -f -p 230 -e open

but wait, Julia, how do my programs use all this great stuff the operating system does?

System calls are the interface for your operating system.

Want to open a file? Use open and then read and write to it.

Sending data over a network? Use connect to open a connection and send and recv pictures of cats.

Every program on your computer is using system calls all the time to manage memory, write files, do networking, and lots more.


connect

Sometimes a program is sending network requests to another machine and I want to know WHICH MACHINE.

strace -e connect

shows me every IP address a program connects to.

sendto, recvfrom

What's fun? Spying on network activity is fun. If you have a HTTP service and you're debugging and totally at your wits' end, maybe it's time to look at what's REALLY EXACTLY being sent over the network...

these are your pals

execve

On my first day of work, a Ruby script that ran some ssh commands wasn't working. Oh no!

But who wants to read code to find out why? ugh.

strace -f -e execve ./script.rb

told us what the problem ssh command was, and we fixed it!
annotated strace

When you run strace, you'll see thousands of lines of output like this:

$ strace ls /home/bork/blah
execve("/bin/ls", ["ls", "/home/bork/blah"], [/* 48 vars */]) = 0
brk(0) = 0x172c000
stat("/usr/local/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=180820, ...}) = 0
mmap(NULL, 180820, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe04e3f7000
close(3) = 0
open("/proc/filesystems", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe04e423000
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tr"..., 1024) = 334
read(3, "", 1024) = 0
close(3) = 0
stat("/home/bork/blah", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/home/bork/blah", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
getdents(3, /* 3 entries */, 32768) = 80
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe04e423000
write(1, "awesome_file\n", 13)
close(1)
munmap(0x7fe04e423000, 4096)
close(2)
exit_group(0)

Studies show this is not self-explanatory

(me asking my friends if it makes sense and NOPE NOPE)

let's learn how to interpret strace output


11999 execve("/usr/bin/ssh", ["ssh", "jvns.ca"]) = 0

1. The process ID (included when you run strace -f)
2. The name of the system call (execve starts programs!)
3. The system call's arguments, in this case a program to start and the arguments to start it with
4. The return value.

open("awesome.txt", O_RDWR) = 3

- open: syscall
- "awesome.txt": file to open
- O_RDWR: read/write permissions
- 3: file descriptor

The 3 here is a file descriptor number. Internally, Linux tracks open files with numbers! You can see all the file descriptors for process ID 42 and what they point to by doing

ls -l /proc/42/fd

read(3, "wow! yay!") = 9

- 3: file descriptor
- "wow! yay!": what got read
- 9: number of bytes read

If you don't understand something in your strace output:

* it's normal! There are lots of syscalls.
* try reading the man page for the system call! (man 2 open)
* remember that just understanding read + write + open + execve can take you a long way
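
An added example, not part of the original zine: a small Python parser that splits lines saved with strace -f -o into the four parts described above (PID, syscall name, arguments, return value) and replays open/close to name the file behind each descriptor, roughly what -y prints. The sample trace is constructed, the names parse_line and resolve_fds are made up for this example, and the per-PID descriptor table does not model descriptors inherited across fork.

```python
import re

# Constructed sample, shaped like `strace -f -o out.txt ...` output (PID first).
SAMPLE = r'''
11999 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
11999 close(3) = 0
11999 open("awesome.txt", O_RDWR) = 3
11999 read(3, "wow! yay!", 1024) = 9
12000 openat(AT_FDCWD, "/home/bork/blah", O_RDONLY|O_DIRECTORY) = 3
11999 open("/nope", O_RDONLY) = -1 ENOENT (No such file or directory)
12000 getdents(3, /* 3 entries */, 32768) = 80
11999 write(1, "awesome_file\n", 13) = 13
'''

# [pid] name(args) = return [errno text]
LINE = re.compile(r'^(?:(?P<pid>\d+)\s+)?(?P<name>\w+)\((?P<args>.*)\)\s+=\s+'
                  r'(?P<ret>0x[0-9a-f]+|-?\d+|\?)(?P<err>.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Syscalls whose first argument is a file descriptor (a small, incomplete set).
FD_CALLS = {"read", "write", "close", "fstat", "getdents", "connect", "sendto", "recvfrom"}

def parse_line(line):
    """Split one strace line into pid, syscall name, raw args and return value."""
    m = LINE.match(line.strip())
    if m is None:
        return None  # signal lines, "+++ exited +++", unfinished calls, ...
    call = m.groupdict()
    call["pid"] = int(call["pid"]) if call["pid"] else None
    return call

def resolve_fds(trace):
    """Replay open/openat/close per PID; name the file behind each fd use."""
    tables, uses = {}, []
    for call in filter(None, map(parse_line, trace.splitlines())):
        # Assumption: fds 0-2 are the usual stdin/stdout/stderr.
        fds = tables.setdefault(call["pid"], {0: "stdin", 1: "stdout", 2: "stderr"})
        if call["name"] in ("open", "openat"):
            path = QUOTED.search(call["args"])
            if path and call["ret"].isdigit():  # failed opens return -1
                fds[int(call["ret"])] = path.group(1)
        elif call["name"] in FD_CALLS:
            fd = int(call["args"].split(",")[0])
            uses.append((call["pid"], call["name"], fd, fds.get(fd, "?")))
            if call["name"] == "close":
                fds.pop(fd, None)
    return uses

if __name__ == "__main__":
    print(*resolve_fds(SAMPLE), sep="\n")
```

Descriptor 3 is reused by PID 11999 after the first close, which is why a bare number in a trace only makes sense once the preceding open calls have been read.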


